In early January 2026, KrebsOnSecurity unveiled the alarming revelation of a security researcher’s discovery of a critical vulnerability that had been exploited to construct Kimwolf, a botnet that has since become the world’s largest and most disruptive. Since this exposure, the individual orchestrating Kimwolf, known online by the moniker "Dort," has unleashed a relentless torrent of malicious activities. This onslaught has included widespread distributed denial-of-service (DDoS) attacks, doxing campaigns, and email flooding aimed at the original researcher and this author. More recently, Dort’s actions escalated to orchestrating a swatting incident, resulting in a heavily armed police team being dispatched to the researcher’s home. This investigative report delves into what can be ascertained about Dort’s identity and operations based on publicly available information and digital footprints.

A public "dox" originating in 2020 asserted that Dort was a teenager from Canada, born in August 2003, who operated under the aliases "CPacket" and "M1ce." A thorough examination of the username "CPacket" on the open-source intelligence platform OSINT Industries reveals a GitHub account associated with both the Dort and CPacket identities. This account was established in 2017 and linked to the email address [email protected].

The cyber intelligence firm Intel 471 has provided crucial data indicating that the email address [email protected] was actively used between 2015 and 2019 to create accounts on various cybercrime forums. These include prominent platforms like Nulled, where the username was "Uubuntuu," and Cracked, where the user was identified as "Dorted." Intel 471’s findings further suggest that both of these forum accounts were created from the same Internet Protocol (IP) address originating from Rogers Communications in Canada, specifically 99.241.112.24.

Dort initially rose to prominence within the gaming community, particularly in the immensely popular Microsoft game Minecraft. There, Dort became known for developing and distributing "Dortware," a suite of software tools designed to facilitate cheating within the game. This early foray into exploiting game mechanics marked a transition from recreational hacking to enabling more serious criminal endeavors.

Another alias associated with Dort is "DortDev." This identity was active in March 2022 on the chat server of the notorious cybercrime syndicate known as LAPSUS$. In this capacity, Dort offered services for the creation of temporary email addresses, alongside "Dortsolver," a sophisticated piece of code capable of circumventing various CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) services. These services were designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on SIM Land, a Telegram channel specifically dedicated to SIM-swapping and account takeover activities.

The cyber intelligence firm Flashpoint has documented posts from 2022 on SIM Land attributed to Dort. These records indicate that Dort developed the disposable email and CAPTCHA bypass services in collaboration with another hacker who used the handle "Qoft." In a 2022 exchange, Qoft explicitly stated, "I legit just work with Jacob," referring to Dort as their exclusive business partner. In the same conversation, Qoft boasted that they had collectively stolen over $250,000 worth of Microsoft Xbox Game Pass accounts. This illicit gain was achieved by developing a program that mass-generated Game Pass identities by leveraging stolen payment card data.

The identity of "Jacob," mentioned by Qoft as their business partner, has been further illuminated through data from the breach tracking service Constella Intelligence. Their analysis reveals that the password associated with [email protected] was reused by only one other email address: [email protected]. This finding aligns with the 2020 doxing information, which stated Dort’s date of birth as August 2003 (8/03).

Who is the Kimwolf Botmaster “Dort”?

A deeper dive into this email address using DomainTools.com uncovers its use in 2015 for registering several Minecraft-themed domain names. These registrations were all assigned to a Jacob Butler residing in Ottawa, Canada, and were linked to the local phone number 613-909-9727.

Constella Intelligence data further shows that [email protected] was used to create an account on the hacker forum Nulled in 2016. Additionally, it was used to establish the username "M1CE" on Minecraft. By pivoting off the password associated with their Nulled account, researchers discovered it was shared across the email addresses [email protected] and [email protected]. The latter address is particularly significant, as it is associated with a domain belonging to the Ottawa-Carleton District School Board, suggesting a connection to an educational institution.

Data compiled by the breach tracking service Spycloud indicates that, at one point, Jacob Butler shared a computer with his mother and a sibling. This familial connection might explain why their email accounts were linked to the password "jacobsplugs." Neither Jacob Butler nor any other members of the Butler household responded to multiple requests for comment.

The open-source intelligence service Epieos has identified that [email protected] was used to create the GitHub account "MemeClient." Concurrently, Flashpoint has indexed a now-deleted anonymous post on Pastebin.com from 2017. This post declared that MemeClient was the creation of a user named CPacket, one of Dort’s earlier known monikers.

The intense and aggressive reaction from Dort stems from a KrebsOnSecurity article published on January 2, 2026, titled "The Kimwolf Botnet is Stalking Your Local Network." This article detailed research conducted by Benjamin Brundage, founder of the proxy tracking service Synthient. Brundage’s investigation revealed that Kimwolf botmasters were exploiting a little-known vulnerability in residential proxy services. This weakness allowed them to infect poorly secured devices, such as TV boxes and digital photo frames, that were connected to the internal, private networks of proxy endpoints.

By the time this exposé went live, Brundage had successfully notified most of the vulnerable proxy providers, who subsequently patched the exploited weaknesses. This remediation effort significantly hampered Kimwolf’s ability to propagate. Within hours of the article’s publication, Dort established a Discord server impersonating KrebsOnSecurity and began disseminating personal information and issuing violent threats against Brundage, this author, and other individuals involved.

Last week, Dort and associates utilized the same Discord server, then named "Krebs’s Koinbase Kallers," to orchestrate a swatting threat against Brundage. They again posted his home address and personal details. Brundage confirmed to KrebsOnSecurity that local law enforcement officers visited his residence in response to a swatting hoax that coincided with another server member posting an image of a door and taunting Brundage further.

A user on the server then linked to a highly offensive and explicit new Soundcloud diss track recorded by the user DortDev. The track included a pinned message from Dort stating, "Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch." The diss track itself contained lyrics such as, "It’s a pretty hefty penny for a new front door. If his head doesn’t get blown off by SWAT officers. What’s it like not having a front door?"

Who is the Kimwolf Botmaster “Dort”?

With a degree of irony, the hope is that Dort will soon be in a position to personally experience and articulate the consequences of such actions.

Update, 10:29 a.m.: Jacob Butler has responded to requests for comment, engaging in a brief telephone conversation with KrebsOnSecurity. Butler stated that he did not notice earlier requests for comment because he has largely been offline since 2021, following multiple swatting incidents at his home. He acknowledged creating and distributing a Minecraft cheat program in the past but insisted he had not played the game in years and denied any involvement in Dortsolver or other activities attributed to the Dort nickname after 2021.

"It was a really old cheat and I don’t remember the name of it," Butler said regarding his Minecraft modification. "I’m very stressed, man. I don’t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don’t go online anymore. I don’t know why people would still be going after me, to be completely honest."

When asked about his current occupation, Butler stated that he primarily stays at home and assists his mother, citing struggles with autism and social interaction. He maintains that someone must have compromised one or more of his old accounts and is impersonating him online as Dort. "Someone is actually probably impersonating me, and now I’m really worried," Butler said. "This is making me relive everything."

However, discrepancies exist within Butler’s timeline. For instance, the voice of Jacob in the phone conversation bore a striking resemblance to the voice of Jacob/Dort heard in a September 2022 Clash of Code competition recording between Dort and another coder. In that recording, around the 6-minute and 10-second mark, Dort unleashes a profanity-laced tirade that mirrors the expletive-laden content in the diss rap posted by Dortdev threatening Brundage. Dort’s voice is audible again around the 16-minute mark, and at approximately 26:00, Dort threatens to swat his opponent.

Butler countered that the voice in the recording was not his, but rather that of an impersonator who had likely cloned his voice. "I would like to clarify that was absolutely not me," Butler stated. "There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff."